How to change the access_token expiry?

I’d like to change the access_token expiry to a value other than 24 hours. I’m using an SPA to access the auth0 client.

There’s a “JWT Expiration (seconds)” setting in my Auth0 client which sets the id_token timeout, but I don’t see anything to set the access_token expiry. How would I go about changing this?

2 Likes

You can set the access_token expiry via the Dashboard in the APIs section, and then the Auth0 Management API settings.

3 Likes

Thanks—I gave this a try and it seems like there’s a hard limit which auth0 does not allow to be configured:

I was able to adjust in the Dashboard for my test tenant:

Unfortunately no such luck for me:

Are you able to adjust your Token Expiration For Browser Flows (Seconds) setting?

Sorry, I see that I can adjust Token Expiration individually, but not Token Expiration for Browser Flows.

So my apologies - the section we are both looking at is the Auth0 Management API which is a system API and is not meant to be consumed in browser-based flows. You need to create a custom API which will then allow you to update that setting.

I think this is a “custom API”, at least judging by the label on the list of APIs:

Ok - so currently you are unable to adjust that setting as that one has a maximum value of 86400 or the value of the other setting (if that setting is less than 86400).

Sorry for the confusion—to summarize, I can set Token Expiration (Seconds) but not Token Expiration For Browser Flows (seconds):

token_expiration_for_browser_flows

Right - so the Token Lifetime value is set as a max of 86400 and so the browser token expires after 24h. I believe you can use CheckSession() to keep the token alive.

The requirement I was asked to implement is to be able to return to a session over the course of a week from a browser that may have been inactive for several days without having to log back in (the JWT is stored in LocalStorage), so I don’t think CheckSession will work in this case… My understanding is that it requires a currently-valid token and an active session: Auth0.js v9 Reference

1 Like

At this time an authentication session at the Auth0 service (one that can be leveraged by checkSession) will last until the maximum lifetime is reached (configured through SSO Cookie Timeout setting in the advanced tenant settings) or the maximum inactivity time out is reached (currently set to three days and non-configurable).

In addition, and as you experienced, the Token Expiration For Browser Flows (Seconds) has a hard limit of 86400 (24 hours); the maximum allowed can be less depending on how Token Expiration (Seconds) is set, but it can never be greater than 86400.

Taking into consideration the limit on the token expiration and the non-configurable inactivity timeout on the session, it’s currently not possible to guarantee the requirement that a SPA is able to maintain an active local session through a complete week without asking the user to log in again. It may be possible if the user is active every other day, but this is not guaranteed. I know there’s planned work on giving more control over the authentication session at the Auth0 service which could make the current inactivity timeout irrelevant and then allow the use of checkSession to meet that requirement, but at this time I don’t believe that is possible.

2 Likes

Hello,

hopefully you do understand that limiting logins to 24h is a HUGE issue and HUGE show-stopper for many of your customers who did NOT have it before April 2018 and only got it after recent upgrades (those upgrades were not optional, and the info about the 24h limitation was not in the upgrade email, so we had to realize the new limitation simply by experiencing it as a bug that later turned into a “feature”).

Can you please elaborate on how to use checkSession() to mitigate it? Is it as simple as periodically calling webAuth.checkSession() w/o parameters, webAuth here being the same JavaScript object initiated with var webAuth = new auth0.WebAuth({…})?

Best regards

5 Likes

In regards to token expiration, I am currently trying to set up an expiration independent of a fixed timeframe. We would like the token to expire each midnight, no matter when the last login happened. Is this somehow possible?

thx
jens

1 Like

Is the official Auth0 answer that web session tokens can NEVER have an expiration longer than 24 hours? If so, my entire dev shop may be moving away from using Auth0 on all of our projects.

I have the opposite problem. I noticed the access token returned from oauth/token expires in 1d (86400) but the jwt/id_token expires in 36000. (a subtle gotcha…)

I tried changing Token Expiration to 36k seconds to match the id_token and it doesn’t work. My dashboard says 36k but oauth/token always returns an expires_in that is 86400.

Bug? Am I setting the wrong place to update the access_token expiry? Is there a lag in the setting taking effect?

Edit: I guess it’s not so much a gotcha as allowing for the id_token to be refreshed.

2 Likes

Depending on your library, it might also be possible to work around this limitation by ignoring the token expiry time on the client. In C#, for example, you can set TokenValidationParameters.ValidateLifetime = false.
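An added example, not code from Auth0 or from anyone in this thread, that puts the two suggestions above side by side: the question earlier about periodically calling webAuth.checkSession() to renew a short-lived access_token, and the C# idea of setting ValidateLifetime = false. The first function is the lifetime check a resource server performs (the check that ValidateLifetime = false removes); the renewal logic shows what a SPA does instead, calling checkSession() shortly before exp and treating a login_required error as "the Auth0 session is gone, re-authenticate". The checkSession function is injected with the auth0.js v9 callback shape so the logic runs under Node without a browser; the tokens, timestamps and the placeholder signature are constructed for the demonstration. Node's Buffer is assumed for base64url decoding (a browser would use atob()).

```javascript
// Added example: validate a JWT's lifetime the way a resource server should,
// and renew a SPA's access_token with checkSession() instead of ignoring exp.
// Assumes Node.js (Buffer). Tokens below are constructed samples, not real Auth0 tokens.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds a constructed sample token. The signature is a placeholder: these
// helpers only demonstrate exp handling, signature verification is the
// resource server's job and is deliberately out of scope here.
function makeSampleJwt(payload) {
  const header = { alg: 'RS256', typ: 'JWT' };
  return `${base64UrlEncode(JSON.stringify(header))}.` +
         `${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Decodes the payload only; does NOT verify the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The lifetime check that TokenValidationParameters.ValidateLifetime = false skips.
// A small clock-skew allowance is normal; disabling the check entirely means a stolen
// token stays usable forever, which is why renewal is the better route.
function validateLifetime(token, nowSeconds, skewSeconds = 60) {
  const { exp, nbf } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return { valid: false, reason: 'missing exp' };
  if (nowSeconds > exp + skewSeconds) return { valid: false, reason: 'expired' };
  if (typeof nbf === 'number' && nowSeconds + skewSeconds < nbf) {
    return { valid: false, reason: 'not yet valid' };
  }
  return { valid: true, reason: 'ok' };
}

// A SPA renews when fewer than leadSeconds of lifetime remain.
function shouldRenew(token, nowSeconds, leadSeconds = 300) {
  const { exp } = decodeJwtPayload(token);
  return exp - nowSeconds <= leadSeconds;
}

// checkSession has the auth0.js v9 shape checkSession(options, callback(err, authResult))
// and is injected (e.g. webAuth.checkSession.bind(webAuth) in a browser).
// Outcomes: 'keep' (still fresh), 'renewed' (new token), 'reauthenticate'
// (the Auth0 session itself expired, e.g. the inactivity timeout discussed above).
function renewIfNeeded(token, nowSeconds, checkSession, leadSeconds = 300) {
  return new Promise((resolve) => {
    if (!shouldRenew(token, nowSeconds, leadSeconds)) {
      resolve({ action: 'keep', token });
      return;
    }
    checkSession({}, (err, authResult) => {
      if (err) {
        resolve({ action: 'reauthenticate', error: err.error || String(err) });
        return;
      }
      resolve({ action: 'renewed', token: authResult.accessToken });
    });
  });
}

module.exports = { makeSampleJwt, decodeJwtPayload, validateLifetime, shouldRenew, renewIfNeeded };
```

In a real SPA, renewIfNeeded would be driven by a timer (setInterval with a period well under leadSeconds) and the 'reauthenticate' outcome would redirect to login; the injected function makes the same decision path testable offline.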

Is there a way to set the expiry on the access token in the Authorization Code Grant Flow through the API?